It's quite annoying that this isn't built into nginx:
github.com/GrapheneOS/ngi
It should rotate the TLS ticket keys like Caddy. It's similar to how you need to handle OCSP with an external script for nginx in order to make it work reliably. It could easily do it internally.
You still need to handle it externally in order to sync them across multiple servers providing the same service. It shouldn't be necessary for the common case.
github.com/tomwassenberg/ is what's needed for implementing OCSP stapling reliably. Could be so much simpler in nginx.
Caddy is the only option handling either of these things properly. It doesn't work for our use cases though. If you have simpler needs then that's a good way to avoid dealing with this kind of nonsense yourself.
TLS 1.3 makes the ticket situation better but it's still a problem.
/dev/urandom doesn't wait for the CSPRNG to be properly initialized in early boot.
/dev/random was fixed in Linux 5.6 but this code needs to work properly on older kernels.
I can't call getrandom(...) from Bash directly. OpenSSL seeds their CSPRNG with it so that works fine.
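The external rotation the thread describes, as an added example that is not GrapheneOS's script and not part of the original thread. It assumes nginx is configured with several `ssl_session_ticket_key` directives (nginx encrypts new tickets with the first listed file and only decrypts with the others, and accepts 48- or 80-byte key files) and that the key directory and the `ticket.N.key` naming are placeholders. It draws random bytes through `os.urandom`, which on Linux calls `getrandom(2)` and so blocks until the kernel CSPRNG is initialized, the guarantee the thread says you cannot get from `/dev/urandom` on pre-5.6 kernels or from Bash directly; copying the files to other nodes before the reload is left out, as the thread notes that part has to be handled separately.

```python
"""Rotate nginx TLS session ticket keys, keeping the newest KEEP keys.

Added example; the key directory and file names are assumptions, not
anything nginx or GrapheneOS prescribe.
"""
import os
import secrets
import subprocess
import tempfile
from pathlib import Path

KEY_BYTES = 80   # nginx accepts 48- or 80-byte ticket key files; 80 selects AES-256
KEEP = 3         # number of ssl_session_ticket_key directives in nginx.conf
KEYDIR = Path("/etc/nginx/ticket-keys")   # assumed location


def new_ticket_key() -> bytes:
    # secrets.token_bytes -> os.urandom -> getrandom(2) on Linux, which blocks
    # until the kernel CSPRNG is initialized, unlike reading /dev/urandom.
    return secrets.token_bytes(KEY_BYTES)


def write_key_atomically(path: Path, key: bytes) -> None:
    # Write to a temp file in the same directory, then rename, so nginx never
    # sees a partially written key file on reload.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".ticket-")
    try:
        os.write(fd, key)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def rotate(keydir: Path, keep: int = KEEP) -> list:
    """Shift ticket.N.key -> ticket.N+1.key, drop the oldest, write a fresh ticket.1.key.

    Returns the key paths that now exist, newest first, which is the order the
    ssl_session_ticket_key directives must use.
    """
    keydir.mkdir(parents=True, exist_ok=True)
    paths = [keydir / f"ticket.{i}.key" for i in range(1, keep + 1)]
    # The oldest key stops being accepted for decryption once rotated out.
    if paths[-1].exists():
        paths[-1].unlink()
    for older, newer in zip(reversed(paths[1:]), reversed(paths[:-1])):
        if newer.exists():
            os.replace(newer, older)
    write_key_atomically(paths[0], new_ticket_key())
    return [p for p in paths if p.exists()]


def nginx_directives(paths) -> str:
    # First directive encrypts new tickets; the rest only decrypt old ones.
    return "\n".join(f"ssl_session_ticket_key {p};" for p in paths)


def demo_rotation(rounds: int = 4) -> dict:
    """Run `rounds` rotations in a scratch directory and report what nginx would see."""
    with tempfile.TemporaryDirectory() as tmp:
        keydir = Path(tmp)
        history = []
        active = []
        for _ in range(rounds):
            active = rotate(keydir)
            history.append(active[0].read_bytes())
        contents = [p.read_bytes() for p in active]
        return {
            "listed": len(active),
            "key_sizes": [len(c) for c in contents],
            "newest_first": contents == list(reversed(history))[:KEEP],
            "all_distinct": len(set(history)) == rounds,
            "directives": nginx_directives(active),
        }


if __name__ == "__main__":
    active_keys = rotate(KEYDIR)
    print(nginx_directives(active_keys))
    # Workers only pick up new key files on reload.
    subprocess.run(["nginx", "-s", "reload"], check=True)
```

Run it from a timer whose interval is no longer than the `ssl_session_timeout` you want tickets to remain usable for; with three files listed, a ticket issued under a key stays decryptable for two further rotations. On a cluster, every node serving the same hostname needs the same set of files in the same order before the reload, which is the external syncing step the thread refers to.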

